[Python-Dev] Status of packaging in 3.3
Donald Stufft
donald.stufft at gmail.com
Fri Jun 22 23:06:06 CEST 2012
On Friday, June 22, 2012 at 4:55 PM, Terry Reedy wrote:
>
> Every time windows users download and install a binary, they are taking
> a chance. I try to use a bit more sense than some people, but I know it
> is not risk free. There *is* a third party site that builds installers,
> but should I trust it? I would prefer that (except perhaps for known and
> trusted authors) PyPI compile binaries, perhaps after running code
> through a security checker, followed by running it through one or more
> virus checkers.
>
I think you overestimate the abilities of "security checkers" and antivirus. Installing
from PyPI is a risk, wether you use source or binaries. There is currently not
a very good security story for installing python packages from PyPI (not all of this
falls on PyPI), but even if we get to a point there is, PyPI can never be as
safe as installing from RPM's or DEB and somewhat mores in the case of binaries. You
_have_ to make a case by case choice if you trust the authors/maintainers of a
particular package.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20120622/a5c0270f/attachment.html>
More information about the Python-Dev
mailing list